Handshake error: SL23_GET_SERVER_HELLO


  • developer

    @BodoBiker What’s your domain name? You can send it in chat, too.



  • @rfc2822 bodo-biker.de I won’t send it public.


  • developer

    @BodoBiker I can’t reproduce the problem with bodo-biker.de. Please send the full URL and verbose logs to play@bitfire.at (see https://davdroid.bitfire.at for the OpenPGP key)



  • @rfc2822 I sent you an email.


  • developer

    According to https://www.ssllabs.com/ssltest/analyze.html?d=bodo-biker.de, your server supports only these cipher suites:

    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
    • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)
    • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)

    Android availability for those cipher suites is (according to SDK docs😞

    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: API level 20+
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: API level 20+
    • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: API level 20+
    • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: API level 20+

    So, you will require API level 20+, i.e. Android 4.4 for smartwatches or Android 5.0 for other devices to use those ciphers.

    This is not a DAVdroid problem.



  • @rfc2822 Thank you for your investigations!



  • Can DAVdroid nevertheless help with the solution described here http://stackoverflow.com/questions/24357863/making-sslengine-use-tlsv1-2-on-android-4-4-2 ?


  • developer

    @BodoBiker I don’t know what you mean. DAVdroid already activates TLSv1.2 when it’s available (i.e. on Android >= 4.2 or so), but this won’t make non-supported ciphers work.



  • @rfc2822 Sorry, that I needle you. I’m a user. I think on the surface, helicopter view. However, my calender and contact sync are disrupted. I’m annoyed about it.

    Obviously, TLS 1.2 and cipher suite use/need each other, but have different origin. That’s why they have different “responsible persons”. Dit I understand this correct?
    I assumed TLS 1.2 and cipher suite belongs together. If you support TLS 1.2 you support the necessary cipher suites. May be you can point me to an explanation (for users).

    The linked blog entry tells (15): “Using SSLSocket or requiring API 20 was no option for our project and neither was changing the server code to allow TLSv1 or SSLv3. Our solution was to install a newer security provider using Google Play Services:
    It is possible to get the necessary cipher suite similar to the TLS 1.2 support from a third party security provider rather than from an Android update for KitKat, which is may be more unlikely?

    On the other side I ask my web hoster to aktivate the older cipher suites knowing that its settings based on a strong security advise.

    I don’t understand for whatever reason I’m the only person of 32,5 % KitKat users facing this issue.


  • developer

    @BodoBiker said in Handshake error: SL23_GET_SERVER_HELLO:

    Obviously, TLS 1.2 and cipher suite use/need each other, but have different origin. That’s why they have different “responsible persons”. Dit I understand this correct?

    TLS is a network protocol, and cipher suites are encryption algorithms. TLS makes it possible to use these algorithms on transport layer in network communication (by defining handshake, key exchange, cipher suite selection etc.).

    I assumed TLS 1.2 and cipher suite belongs together. If you support TLS 1.2 you support the necessary cipher suites. May be you can point me to an explanation (for users).

    No, you can use the protocol with any cipher suites. For instance, servers can be configured to use TLS 1.2, but many (even obsolete and unsecure) cipher suites. Or it can be configured to a very limited set of ciphers, like your server.

    It is possible to get the necessary cipher suite similar to the TLS 1.2 support from a third party security provider rather than from an Android update for KitKat, which is may be more unlikely?

    Theoretically, you may implement these cipher suites on application level. However, they don’t belong there. Cipher suites should be used from the operating system/framework, and Android doesn’t support your server’s cipher suites until API level 20.

    On the other side I ask my web hoster to aktivate the older cipher suites knowing that its settings based on a strong security advise.

    Yes, they will have to enable cipher suites which are compatible with your device. It seems they have disabled all SHA ciphers in favor of SHA256 and SHA384, which are more secure, but not supported by your device.

    Of course, you can also update your device to a recent Android version (for instance, with a custom ROM, if your manufactorer doesn’t provide an up-to-date operating system).

    I don’t understand for whatever reason I’m the only person of 32,5 % KitKat users facing this issue.

    Because your server is configured to a very limited set of ciphers, which is not a common configuration.



  • Gelöst.
    Mein Webhoster hat seine HTTP/2 Konfig erweitert und die für Android 4.4 nötigen cipher suiten ergänzt. Jetzt klappt die Synchronisation mit meiner Owncloud wieder.
    Danke für die Hilfe!



  • Appendix (Back to English 😉 😞
    May be the information from ssllabs about WebView and WebView for Android - Google Chrome is informative, at least it is an explanation (for me).

    https://community.qualys.com/thread/16297


Log in to reply
 

Similar topics

  • 11
  • 3
  • 4